Updated: 18 January, 2024
4 January, 2024
At Codific we are very proud to be the main sponsor of Chess International Master Emin Ohanyan who recently won the European Rapid and Blitz Chess Championships hosted in Zagreb, Croatia. Congratulations Emin! As a company dedicated to developing software solutions you may be wondering, why would we sponsor a chess player? There are two main reasons for this. First and most importantly, we are committed to the development of exceptional talent and this is not only limited to our employees. Emin is an exceptional talent and that is why we are committed to help him achieve his dream of becoming a World Chess Champion. Secondly, chess in many ways has parallels with what our company does, especially with our involvement in the Application Security (AppSec) industry. This blog post focuses on some of those parallels, giving further insight into the world of AppSec through the beautiful game of chess.
Key takeaways
- Strategic foresight in AppSec is akin to a chess player’s ability to think several steps ahead, crucial for anticipating and mitigating cyber threats.
- Being prepared for unexpected challenges is vital in both chess and AppSec, highlighting the importance of robust recovery strategies.
- Both chess and AppSec feature a virtually endless learning curve, emphasizing the need for continuous learning and adaptation.
- Making informed trade-offs, whether in resource allocation in AppSec or in strategic sacrifices in chess, is key to achieving success.
- Tools in AppSec are as crucial as the pieces on a chess board, each serving a specific, strategic purpose.
- SAMMY in the AppSec world parallels the strategic depth of chess, offering an innovative approach to managing AppSec complexities.
All about thinking ahead
In both AppSec and chess you need to think ahead and be able to predict what your opponent is going to do. The best chess players are able to think several steps ahead, which grants them a big advantage over their opponent.
In the AppSec world, experts do the same: they think of threats and attack avenues that no one else, sometimes not even the attackers, has considered. By doing this, AppSec experts can build software from the start in a way that neutralizes those threats and attack avenues. Threat modeling is one of the main ways this is done in AppSec.
You need to have a plan for when things go wrong
In chess, things will go wrong eventually. You may make a mistake and hang an important piece, you may miss an important move, or you may not see the move your opponent was planning. In those situations, planning ahead pays off: you need to have positioned your pieces beforehand in a way that allows you to recover.
The same holds in AppSec. You need to make sure that you are doing things correctly from the beginning so that when things go wrong, you are prepared. As we say in the world of application security: “It is not a matter of if you will be hacked, it is a matter of when”. To prepare for this, one of the most important things is to have a Disaster Recovery Plan in place that identifies all the assets (hardware, software, data), roles (responsibilities) and procedures (actions) for different scenarios. This is similar to chess, where you also need a plan that accounts for your assets (pieces), their roles (the way the pieces move) and procedures (moves) for different scenarios.
There are tradeoffs you need to make
Some of the most impressive plays in chess involve sacrificing a piece, even an important piece like the queen, to get into a winning position. This is a tradeoff: you are giving up something to get something in return.
In AppSec, the same holds. Often you need to consider application security in the context of an organization with limited resources. Thus, if you spend these resources improving your AppSec in one area, you may not have enough left to improve it in others. To illustrate this further we can look at the SAMM model.
SAMM is an AppSec programme that maps the different areas (business practices) in which you can expend resources to improve your application security. It offers a risk-based approach, meaning that the work and resources you put into improving your application security in the different business practices should be based on your organization’s risk appetite. In any case, when you spend more resources on one practice, say Policy and Compliance, you will have fewer resources to spend on other areas, like Secure Architecture. Therefore, as in chess, AppSec involves a lot of tradeoffs you need to consider.
If you want to learn more about SAMM, then you can check out the free SAMM training.
The learning curve in both is virtually endless
While it is a relatively simple game, with rules and a goal that are easy to understand, chess has a tremendous, virtually endless learning curve. It is estimated that there are around 10^40 possible positions you can find yourself in while playing within the rules. The learning curve is therefore virtually endless, as in every single one of those positions there is an optimal move to make.
The learning curve in AppSec is also virtually endless, with the world of cybercrime ever expanding and evolving. The development and refinement of new attack vectors, vulnerabilities and forms of malware is constant. Therefore, as in chess, to be good at AppSec you need to be constantly learning and keeping up with the evolution of the “game”.
Start your AppSec learning with the OWASP SAMM Training!
Predefined optimal ways to play the game exist
In chess, every position has a best move, the move that gives you the biggest chance of winning. Optimal sequences of moves also exist. For example, depending on how you like to play the game there are different openings you can use and different responses to those openings. Being able to consistently recognize the best move in every position is what separates a great player from an amateur one.
In AppSec, it’s similar. There are a series of best practices that can provide you with the best chances of successfully defending and protecting a system. For example, there are several secure coding and deployment practices that are important during the implementation stage in the secure software development lifecycle (SSDLC). You can learn more about them here.
To learn more about the secure software development lifecycle, check out this blog.
In chess you have pieces, in AppSec tools
Finally, in chess every one of your pieces plays a role on your road to victory (or, hopefully not, defeat). You need to understand how to leverage each one correctly: the role it plays, its overall importance and, obviously, the way it moves. Each piece therefore serves as a tool you can use to win.
Tools are also present in AppSec. For example, in the testing phase of the SSDLC, you can leverage static application security testing (SAST) and dynamic application security testing (DAST) tools to automate the testing process, removing subjectivity from it and improving its efficiency.
Nevertheless, as the SAMM model above shows, there are a lot of areas and practices to consider within AppSec. Managing all of that without a proper tool is not optimal, which is why we created SAMMY, our software assurance maturity model management tool.
Try it out for free here.
Conclusion
In summary, the connection between chess and AppSec, as highlighted in this blog, reveals the importance of strategy, preparedness, and continuous learning in both fields. Chess, with its emphasis on foresight and adaptability, mirrors the challenges and decision-making processes in application security. Tools play a crucial role in both areas, aiding in efficient and effective management of resources and risks.
At Codific, our support for chess prodigy Emin Ohanyan aligns with our commitment to these principles, emphasizing strategic thinking and continuous improvement. This partnership reflects our dedication to excellence in the ever-evolving landscape of application security. We invite you to explore this fascinating intersection of chess and AppSec further through our OWASP SAMM training, embarking on a journey of discovery and mastery in the intricate world of application security. Moreover, make sure to check out SAMMY, for all your AppSec management needs.